[RFC/PATCH v1 1/3] fix decoder of ioctl EVIOCGBIT
Zhibin Li
haoyouab at gmail.com
Sun Aug 19 10:51:10 UTC 2018
On Sun, Aug 19, 2018 at 4:04 PM Dmitry V. Levin <ldv at altlinux.org> wrote:
> On Sat, Aug 18, 2018 at 06:45:52PM +0800, Zhibin Li wrote:
> > OK, it's in linux/drivers/input/evdev.c:
> > line 812: in function handle_eviocgbit:
> > return bits_to_user(bits, len, size, p, compat_mode);
> > and then in function bits_to_user:
> > int len = BITS_TO_LONGS(maxbit) * sizeof(long);
> > ...
> > return copy_to_user(p, bits, len) ? -EFAULT : len;
> > Correct me if I'm wrong, thanks :)
>
> I wish you've written something like this in the commit message. :)
> I suggest to apply the fix as a separate commit, e.g.
>
> Subject: [PATCH] evdev: fix decoding of bit sets
>
> According to drivers/input/evdev.c:bits_to_user(),
> the Linux kernel returns the number of bytes, not bits.
>
> * evdev.c (decode_bitset_): Treat syscall return value as the number
> of bytes.
>
> diff --git a/evdev.c b/evdev.c
> index 7ca15c9dd..3c1aaa8e2 100644
> --- a/evdev.c
> +++ b/evdev.c
> @@ -171,10 +171,10 @@ decode_bitset_(struct tcb *const tcp, const
> kernel_ulong_t arg,
> tprints(", ");
>
> unsigned int size;
> - if ((kernel_ulong_t) tcp->u_rval > max_nr)
> + if ((kernel_ulong_t) tcp->u_rval > max_nr / 8)
> size = max_nr;
> else
> - size = tcp->u_rval;
> + size = tcp->u_rval * 8;
> char decoded_arg[size];
>
> if (umove_or_printaddr(tcp, arg, &decoded_arg))
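Review bot: `size` still doubles as the length of the VLA `char decoded_arg[size]`, and therefore as the number of bytes umove_or_printaddr() fetches from the tracee, but after this hunk it holds a bit count (`tcp->u_rval * 8`, or `max_nr`), so the decoder copies eight times as many bytes as the kernel reported; a read that runs past the end of the tracee's buffer into unmapped memory makes umove_or_printaddr() fail and print the bare address instead of the bit set. Keep the bit count in its own variable and derive the buffer length from it, e.g. `size_bits = tcp->u_rval * 8;` then `size = (size_bits + 7) / 8;` before `char decoded_arg[size];`, and pass size_bits (not size) to the code that walks the set bits.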
>
> What do you think?
>
I agree. The fix for decoding of bit sets isn't just about EVIOCGBIT. It also
affects other flags/cmds, so I shouldn't mix this up with the fix for
decoding of EVIOCGBIT(0, ...).
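The bytes-versus-bits point above in working form, as an added example that is neither strace's nor the kernel's code: a small decoder that takes the ioctl return value as a byte count (the bits_to_user() convention), clamps it to the width of the table being decoded, sizes the copy from the bit count, and walks the set bits. The EV_* values and the sample EVIOCGBIT(0, ...) reply are constructed for the demo; the byte-wise bit walk assumes a little-endian host, where an array of unsigned long reads as LSB-first bytes.

```c
/* Added example, not strace's or the kernel's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kernel convention (drivers/input/evdev.c:bits_to_user): the bit set is an
 * array of unsigned long and the ioctl returns the number of bytes copied,
 * BITS_TO_LONGS(maxbit) * sizeof(long), never a number of bits. */
#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(nr) (((nr) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Constructed EV_* numbers for the demo (assumed, not taken from a header). */
#define EV_SYN 0x00
#define EV_KEY 0x01
#define EV_MSC 0x04
#define EV_LED 0x11
#define EV_REP 0x14
#define EV_CNT 0x20

/* How many bits the decoder may look at: rval is the byte count the
 * kernel returned (<= 0 means error or nothing copied), max_bits the
 * width of the table we can name bits from. */
static unsigned int
bitset_decode_bits(long rval, unsigned int max_bits)
{
	if (rval <= 0)
		return 0;
	/* Compare in bytes, then convert; clamp so unknown high bits are skipped. */
	if ((unsigned long) rval >= (max_bits + 7) / 8)
		return max_bits;
	return (unsigned int) rval * 8;
}

/* Bytes to copy from the tracee to cover `bits` bits (never more than rval). */
static size_t
bitset_decode_bytes(unsigned int bits)
{
	return (bits + 7) / 8;
}

/* Walk the set bits of a `bytes`-byte buffer, looking at most `bits` bits,
 * store their indices in out (capacity n) and return how many were set. */
static unsigned int
bitset_set_bits(const unsigned char *buf, size_t bytes, unsigned int bits,
		unsigned int *out, unsigned int n)
{
	unsigned int count = 0;
	if (bits > bytes * 8)
		bits = (unsigned int) (bytes * 8);
	for (unsigned int i = 0; i < bits; i++) {
		if (buf[i / 8] & (1u << (i % 8))) {   /* little-endian assumption */
			if (count < n)
				out[count] = i;
			count++;
		}
	}
	return count;
}

/* Constructed sample: the reply the kernel would give to EVIOCGBIT(0, ...)
 * for a device supporting EV_SYN, EV_KEY, EV_MSC, EV_LED and EV_REP.
 * rval_is_bits == 1 reproduces the old, wrong reading of the return value. */
static unsigned int
demo_event_types(unsigned int *out, unsigned int n, int rval_is_bits)
{
	unsigned long ev[BITS_TO_LONGS(EV_CNT)];
	const unsigned int set[] = { EV_SYN, EV_KEY, EV_MSC, EV_LED, EV_REP };

	memset(ev, 0, sizeof(ev));
	for (size_t i = 0; i < sizeof(set) / sizeof(set[0]); i++)
		ev[set[i] / BITS_PER_LONG] |= 1UL << (set[i] % BITS_PER_LONG);

	long rval = (long) sizeof(ev);   /* what bits_to_user() returns: bytes */

	unsigned int bits = rval_is_bits
		? (unsigned int) rval                  /* old: bytes mistaken for bits */
		: bitset_decode_bits(rval, EV_CNT);    /* bytes -> bits, clamped */

	return bitset_set_bits((const unsigned char *) ev,
			       bitset_decode_bytes(bits), bits, out, n);
}

int main(void)
{
	unsigned int idx[EV_CNT];
	unsigned int n = demo_event_types(idx, EV_CNT, 0);

	printf("rval as bytes: %u event types:", n);
	for (unsigned int i = 0; i < n; i++)
		printf(" 0x%02x", idx[i]);
	printf("\n");

	n = demo_event_types(idx, EV_CNT, 1);
	printf("rval as bits:  %u event types (EV_LED, EV_REP lost)\n", n);
	return 0;
}
```

With the return value read as a byte count all five types come back, including EV_LED and EV_REP above bit 7; read as a bit count, only the first sizeof(long) bits are examined and the high types disappear, which is the symptom the patch addresses. On a big-endian host the byte-wise walk in bitset_set_bits() would have to index within each unsigned long word instead.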
> --
> ldv